.\" $OpenBSD: snmpd.conf.5,v 1.33 2015/07/18 16:30:57 reyk Exp $
.\"
.\" Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: July 18 2015 $
.Dt SNMPD.CONF 5
.Os
.Sh NAME
.Nm snmpd.conf
.Nd Simple Network Management Protocol daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the
.Xr snmpd 8
daemon.
.Sh SECTIONS
The
.Nm
file is divided into three main sections:
.Bl -tag -width xxxx
.It Sy Macros
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Sy Global Configuration
Global runtime settings for
.Xr snmpd 8 .
.It Sy User Configuration
USM user definitions.
.It Sy OID Configuration
Custom configuration of SNMP object identifiers and values.
.El
.Pp
The current line can be extended over multiple lines using a backslash
.Pq Sq \e .
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
Care should be taken when commenting out multi-line text:
the comment is effective until the end of the entire block.
.Pp
Argument names not beginning with a letter, digit, or underscore
must be quoted.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/snmpd.conf.local"
.Ed
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore,
and may contain any of those characters.
Macro names may not be reserved words (for example,
.Ic community ,
.Ic system ,
or
.Ic oid ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
ext_addr="192.168.0.1"
listen on $ext_addr
.Ed
.Sh GLOBAL CONFIGURATION
The following options can be set globally:
.Bl -tag -width Ds
.It Ic filter-routes Pq Ic yes | no
If set to
.Ic yes ,
ask the kernel to filter route update messages on the routing socket.
Routing table information will not be available, but CPU use will be
reduced during bulk updates.
The default is
.Ic no .
.It Ic listen on Ar address
Specify the local address
.Xr snmpd 8
should listen on for incoming SNMP messages.
.It Ic read-only community Ar string
Specify the name of the read-only community.
The default value is
.Ar public .
.It Ic read-write Pq Ic community Ar string Ic | disabled
Specify the name of the read-write community, or disallow writes completely.
The default value is
.Ar private .
.It Ic seclevel Pq Ic none | auth | enc
Specify the lowest security level that
.Xr snmpd 8
accepts:
.Bl -tag -width "auth" -offset ident
.It Ic none
Both authentication and encryption of messages is optional.
This is the default value.
.It Ic auth
Authentication of messages is mandatory.
.Xr snmpd 8
will discard any messages that don't have a valid digest.
Encryption of messages is optional.
.It Ic enc
Messages must be encrypted and must have a valid digest for authentication.
Otherwise they will be discarded.
.El
.Pp
If the chosen value is different from
.Ic none
.Xr snmpd 8
will accept only SNMPv3 requests since older versions neither support
authentication nor encryption.
.It Ic socket Qo Ar path Qc Op Ic restricted | agentx
Create a control socket at
.Ar path .
If
.Ic restricted
is specified, a restricted control socket will be created.
If
.Ic agentx
is specified, a socket which speaks the AgentX protocol will be created.
Multiple
.Ic restricted
and
.Ic agentx
sockets may be created.
By default
.Pa /var/run/snmpd.sock
is created and no other sockets are created.
.It Ic system contact Ar string
Specify the name or description of the system contact, typically a
name or an e-mail address.
The default value is
.Ar root@hostname
using the hostname of the local machine.
.It Ic system description Ar string
Specify a description of the local system.
The default value is the operating system identification as printed by the
.Xr uname 1
command using the
.Fl a
flag:
.Bd -literal -offset indent
OpenBSD myhost.example.com 4.2 GENERIC#595 i386
.Ed
.It Ic system location Ar string
Specify the string describing the location of the local system,
typically a physical location.
The default value is an empty string.
.It Ic system name Ar string
Specify the name of the local system, typically a fully-qualified
domain name.
The default value is the hostname of the local system.
.It Ic system oid Ar oid-string
Specify the authoritative identification of the local system.
The default value is
.Ar 1.3.6.1.4.1.30155.23.1
.Pq iso.org.dod.internet.private.enterprises.openbsd.23.1
identifying a common
.Ox
system.
.It Ic system services Ar number
Specify a magic value which indicates the set of services that the local
system may provide.
Refer to the
.Ar sysServices
description in the SNMP MIB for details.
.\"XXX describe the complicated services alg here
.It Ic trap community Ar string
Specify the name of the trap community.
The default value is
.Ar public .
.It Ic trap handle Ar oid Qq Ar command
Execute
.Ic command
upon receipt of an SNMP trap that begins with a prefix of
.Ic oid .
Alternately, the string
.Qq Ic default
may be used, in which case the prefix used is
.Ic 1.3 .
The invoked
.Ar command
will receive the following information about the trap on standard input,
one per line, in this order:
the resolved hostname of the host sending the trap,
the IP address of the host sending the trap,
and any variable bindings contained in the trap
(the OID followed by the value, separated by a single space).
.It Xo
.Ic trap receiver Ar string
.Op Ic oid Ar oid-string
.Op Ic community Ar string
.Xc
Specify the address or FQDN of a remote trap receiver for outgoing traps
sent by
.Xr snmpd 8 .
This option may be specified multiple times.
The daemon will send outgoing traps using the revised SNMPv2 format and the
configured trap community.
The default community is specified by the global
.Ic trap community
option.
.El
.Sh USER CONFIGURATION
Users for the SNMP User-based Security Model (USM, RFC 3414) must be
defined in the configuration file:
.Bl -tag -width xxxx
.It Xo
.Ic user Ar name
.Op Ic authkey Ar key Ic auth Ar hmac
.Op Ic enckey Ar key Ic enc Ar cipher
.Xc
Defines a known user.
The
.Ic authkey
keyword is required to specify the digest key used to authenticate
messages.
If this keyword is omitted then authentication is disabled
for this user account.
Optionally the HMAC algorithm used for authentication can be specified.
.Ar hmac
must be either
.Ic hmac-md5
or
.Ic hmac-sha1 .
If omitted the default is
.Ic hmac-sha1 .
.Pp
With
.Ic enckey
the encryption key used to encrypt and decrypt messages for privacy is defined.
Without an
.Ic enckey
specification the user account will neither accept encrypted incoming
messages nor will it encrypt outgoing messages.
The
.Ar enc
algorithm can be either
.Ic des
or
.Ic aes
and defaults to
.Ic des .
.Pp
Any user account that has encryption enabled requires authentication to
be enabled too.
.El
.Sh OID CONFIGURATION
It is possible to specify user-defined OIDs in the configuration file:
.Bl -tag -width Ds
.It Xo
.Ic oid Ar oid-string
.Ic name Ar name
.Op Ic read-only | read-write
.Op Ar type
.Ar value
.Xc
Return the specified value to the client for this OID.
The
.Ic read-write
option may allow the client to override it,
and the type is either
.Ic string
or
.Ic integer .
.El
.Sh FILES
.Bl -tag -width "/etc/snmpd.conf"
.It Pa /etc/snmpd.conf
Default location of the configuration file.
.El
.Sh EXAMPLES
The following example will tell
.Xr snmpd 8
to listen on localhost, override the default system OID, set the
magic services value and provides some custom OID values:
.Bd -literal -offset indent
listen on 127.0.0.1

system oid 1.3.6.1.4.1.30155.23.2
system services 74

oid 1.3.6.1.4.1.30155.42.1 name myName read-only string "humppa"
oid 1.3.6.1.4.1.30155.42.2 name myStatus read-only integer 1
.Ed
.Pp
The next example will enforce SNMPv3 with authenticated and encrypted
communication and the user-based security model.
The configuration defines two users,
the first one is using the
.Ic aes
encryption algorithm and the second one the default
.Ic des
algorithm.
.Bd -literal -offset indent
seclevel enc

user "hans" authkey "password123" enc aes enckey "321drowssap"
user "sophie" authkey "password456" enckey "654drowssap"
.Ed
.Sh SEE ALSO
.Xr snmpctl 8 ,
.Xr snmpd 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 4.3 .
.Sh AUTHORS
The
.Xr snmpd 8
program was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org .
